All Posts


@alin You can refer to the video below for the instructions. https://www.youtube.com/watch?v=pJferqpXcsc&t=16s
@alin
1. Stop Splunk Enterprise.
2. Find the passwd file for your instance ($SPLUNK_HOME/etc/passwd) and rename it to passwd.bk.
3. Create a file named user-seed.conf in your $SPLUNK_HOME/etc/system/local/ directory.
4. In the file add the following text:
   [user_info]
   PASSWORD = NEW_PASSWORD
   In the place of "NEW_PASSWORD" insert the password you would like to use.
5. Start Splunk Enterprise and use the new password to log into your instance from Splunk Web.
6. If you previously created other users and know their login details, copy and paste their credentials from the passwd.bk file into the passwd file and restart Splunk.
You must have heard the phrase, time is of the essence. This is especially true in time series such as Splunk. Could you start from the beginning and describe your use case? What is the input, what is the expected output, and what is the logic between input and expected output without SPL?
Hello,

I have a question about using a Python library in the algorithms of the Splunk ML Toolkit. Open the ARIMA.py file in the path splunk/etc/apps/Splunk_ML_Toolkit/bin/algos as below.

=== Contents ===
[root@master algos]# pwd
/opt/splunk/etc/apps/Splunk_ML_Toolkit/bin/algos
[root@master algos]#
[root@master algos]# more ARIMA.py
#!/usr/bin/env python
import datetime
import pandas as pd
import numpy as np
from statsmodels.tsa.arima.model import ARIMA as _ARIMA
from statsmodels.tools.sm_exceptions import MissingDataError
=========================

Among the contents of ARIMA.py, it says import pandas as pd. Where is the pandas library being loaded from? When I run ARIMA.py as below, I get a message that the module is not found.

=== Execution Results ===
[root@master algos]# python3 ARIMA.py
Traceback (most recent call last):
  File "ARIMA.py", line 5, in <module>
    import pandas as pd
ModuleNotFoundError: No module named 'pandas'
[root@master algos]#
I want to reset my Splunk Enterprise password.
Currently we connect to a PostgreSQL database using username/password authentication. Now we need to switch to certificate-based authentication. I've created a certificate on the server. Can anyone please guide me on how to configure this in the DBConnect Web GUI?
This worked for me on a fresh dashboard, thank you.

I tried this on an existing dashboard though and quickly found out that if you get the numbers even off a little, you end up hiding/deleting (I wasn't sure what actually happened) other panels elsewhere on the dashboard. It's like they get pushed off into the ether. I ended up having to rebuild the dashboard from scratch.

A friendly heads-up for anyone that comes along in the future!
Yes, restarted Splunk.
Failed to start KV Store process. See mongod.log and splunkd.log for details. Please help.
Hello. I have created an index under a custom app from Splunk Web and it is reflecting, but when I set up the universal forwarder to monitor logs for the same index, it is not reflecting anything on the indexer. Also, my KV store is showing status failed and tells me to check mongod.log and splunk key. Please help with this.
I've tried a few methods shared here to adjust the start/end times of span. Mainly:

1 - | eval _time=_time-3600 | bin _time span=4h | eval _time=_time+3600
2 - | timechart span=4h aligntime=@h-120m

However after testing, neither of these is actually offsetting the span. It only changes the times shown in the resulting table. The values (in my case counts) in each box do not change, just the _time values. Am I doing something wrong? For example:

_time        A    B    C
1/28 00:00   2    1    2
1/28 04:00   4    2    4
1/28 08:00   6    3    6
1/28 12:00   8    4    8
1/28 16:00   10   5    10

_time        A    B    C
1/27 22:00   2    1    2
1/28 02:00   4    2    4
1/28 06:00   6    3    6
1/28 10:00   8    4    8
1/28 14:00   10   5    10
Greetings,  Are there any official AWS CFT Templates to create necessary roles, SNS/SQS Services to use Splunk Add on for AWS to ingest Cloudtrail Data into Splunk? 
On the IDX's server.conf you need to add this line in the [sslConfig] stanza:

serverCert = /opt/splunk/etc/auth/mycerts/myCombinedServerCertificate.pem

Then delete the sslPassword line from your server.conf if it's the default, Splunk will recreate it anyhow. That should fix it unless your cert is not prepared properly with just leaf cert + private key in the 'myCombinedServerCertificate.pem'
Hi. Can I use React Router nested routes in Splunk UI Toolkit? Overlapping routing with react-router results in an error page upon reload.
Probably proxy server (or firewall). Typically proxy server because the ODBC driver is not proxy aware like your internet browser is. This is why others mentioned configure the proxy without explanation. The typical solution is to add an environmental variable that the ODBC driver can see. I would recommend testing it using the following process:

1. At the command line (in Windows) enter setx http_proxy <proxy_ip>:<proxy_port> (example: setx http_proxy 132.50.12.1:443)
2. Restart your ODBC program (ex. PowerBi)
3. Retest your connection

If it fails, add the https_proxy the same way. If it succeeds, add it to the system permanently.

Ref:
- Configure the proxy server - Splunk Documentation
- libcurl - programming tutorial
- Set up proxy using http_proxy & https_proxy environment variable in Linux? | GoLinuxCloud
- windows - Command line to remove an environment variable from the OS-level configuration - Stack Overflow
It is not clear what you are trying to do with your sub-search. Please clarify in non-SPL terms, what it is that you are trying to achieve.
The only option would be an external mechanism to update the inputs.conf and reload the UF? For example, have a scheduled task every hour that compares the inputs.conf and IIS configuration - if different, update inputs.conf and reload UF?

Kind Regards
Andre
Possibly a silly question, but I've wondered this for a while and now it'd actually be exactly what I need; I've got a simple HTTP traffic monitor dash, with a graph of status message counts. Underneath, I want a panel which summarises it but ideally in 1m bins per row, e.g.

9:00AM - [OK] = 500
         [Too many open files] = 30
         [Connection timed out] = 2
         [Connection refused] = 1
-
9:01AM - [OK] = 459
         [Too many open files] = 21
         [Connection timed out] = 3
         [Connection refused] = 2
-
9:02AM etc.

Now obvs this is a trivial stats query with a little finessing, which I've added to my dashboard as a statistics panel underneath the graph of the counts over an hour. This achieves a common monitoring goal. I've got the hour span graph and then at-a-glance reference with 5x1min snapshots of what the web server is experiencing currently.

However, the output of a stats panel doesn't exactly look the greatest as above. What I'm actually wondering is, can I make it appear like the attached image below of the bubble popup (not sure what you guys call this), when you click on any field within a Splunk search? Like that output is perfect at-a-glance detail, count, %, and a visual bar etc. It's exactly what I'm poorly trying to replicate with my stats panel, and tbh what I've poorly replicated in many other situations.

Can I replicate that in a dash somehow? Have wanted to ask this for a while...
Yes you can use tokens from a dropdown as you suggested to limit the indexes searched.